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ABSTRACT 


yA  program  for  the  analytic  and  experimental  investigation  of 
reconf igurable  control  systems  is  described.  Its  principal 
objectives  are  to  extend  the  theory  of  artificial  intelligence 
and  to  develop  practical  methods  of  applying  artificial  intelli¬ 
gence  heuristics,  statistical  hypothesis  testing,  and  modern  con¬ 
trol  theory  to  the  reconfiguration  of  control  systems  following 
sensor  failures,  actuator  failures,  power  supply  or  transmission 
failures,  or  unforeseen  changes  in  dynamic  characteristics. 
Objectives  include  the  definition  of  typical  failure  modes  and 
effects;  formulation  and  investigation  of  algorithms  for  detec¬ 
tion,  identification,  estimation,  and  control;  numerical  simula¬ 
tion  of  failure  and  reconfiguration;  and  experimentation  using  a 
microprocessor-based  reconf igurable  control  system. 
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1.  INTRODUCTION 


1.1  STATEMENT  OF  THE  PROBLEM 

Performance,  reliability,  and  survivability  are  characteris¬ 
tics  that  should  be  possessed  by  control  systems  of  all  types, 
especially  those  used  in  helicopters,  tilt-rotor  vehicles,  and 
conventional  aircraft.  The  ability  to  complete  the  mission  is 
essential  to  a  military  aircraft’s  deployment,  and  while  the 
increasing  use  of  digital  systems  will  do  much  to  achieve  these 
goals,  increased  reliance  is  being  placed  upon  these  systems  to 
perform  flight  critical  and  flight  crucial  functions.  The  penal¬ 
ties  for  system  failure  are  severe,  so  it  is  desirable  to  design 
such  systems  from  the  beginning  for  fault  tolerance. 

As  is  well  known,  fault-tolerant  systems  must  either  be 
"robust"  or  "reconf igurable" ,  if  not  both.  In  the  first 
instance,  changes  in  the  system's  overall  input-output  character¬ 
istics  are  reduced  by  feedback  control,  and  judicious  choice  of 
the  feedback  gains  minimizes  the  system's  sensitivity  to  parame¬ 
ter  variations,  measurement  errors,  and  disturbance  inputs.  The 
degree  of  failure  that  can  be  accomodated  by  a  fixed  control  struc¬ 
ture  is  necessarily  more  restricted  than  that  of  a  variable  con¬ 
trol  structure.  In  the  second  case,  the  system  must  provide 

e  Fault  Detection 

•  Fault  Identification 

•  Control  Reconfiguration 


to  maintain  acceptable  (if  not  satisfactory)  performance.  A  sys¬ 
tem  that  is  fault  tolerant  through  an  ability  to  reconfigure  is, 
in  some  sense,  adaptive  and  redundant.  It  is  adaptive  because 


the  control  structure  that  is  best  for  the  nominal  configuration 
may  have  to  be  adjusted  for  off-nominal  operation,  as  results 
from  loss  or  degradation  of  sensors,  actuators,  and  power  sup¬ 
plies,  damage  to  signal  and  power  transmission  channels,  or  unex¬ 
pected  alteration  of  the  aircraft's  structural  and  aerodynamic 
configuration.  Its  redundancy  can  be  implemented  with  hardware 
or  software.  Hardware  redundancy  implies  parallel  measurements; 
software  ("analytic")  redundancy  implies  flexible  state  estima¬ 
tion  and  control  laws.  In  both  cases,  redundancy  improves  reli¬ 
ability  only  if  the  system  can  adjust  to  minimize  or  eliminate 
the  effects  of  the  failure,  either  implicitly  or  explicitly. 
Voting  or  averaging  schemes  overpower  the  failed  unit  implicitly, 
while  those  that  identify  and  remove  the  failed  unit  solve  the 
problem  through  explicit  knowledge  of  cause  and  effect,  applying 
artificial  intelligence  to  reconfigure  the  system. 

Intelligence  --  "the  general  mental  ability  involved  in  calcu¬ 
lating,  reasoning,  perceiving  relationships  and  analogies,  learn¬ 
ing  quickly,  storing  and  retrieving  information,  using  language 
fluently,  classifying,  generalizing,  and  adjusting  to  new  situ¬ 
ations",  according  to  The  New  Columbia  Encyclopedia  --  certainly 
would  appear  to  have  its  place  in  reconfiguring  a  control  system 
following  failure,  although  some  elements  of  the  definition  seem 
more  appropriate  for  the  study  of  linguistics  than  engineering. 
Nevertheless,  the  formalism  of  linguistics  --  including  the  iden¬ 
tification  of  rules  of  inference  and  the  hierarchical  relation¬ 
ship  between  morphemes  (sounds),  words,  syntax  (structure),  and 
semantics  (meaning)  --  may  have  parallels  that  can  be  exploited 
in  the  control  problem.  There  are  numerous  instances  in  which 
human  pilots  have  applied  their  own  intelligence  to  revise  con¬ 
trol  strategies,  having  perceived  system  damage  or  failure.  To 
the  extent  that  symbols  and  perceptions  reflect  knowledge  and  its 


interpretation,  there  is  an  analogy  to  detection,  identification, 
and  estimation.  "Artificial"  intelligence  (perhaps  better  called 
"machine"  intelligence)  seeks  to  quantify  the  heuristic  processes 
of  human  intelligence,  so  the  theory  forms  a  natural  bridge  to 
fault  detection  and  identification  in  highly  critic  l  control 
systems . 

Of  course,  fault  detection  and  identification  are  only  parts 
of  the  solution  to  the  problem.  Having  attained  knowledge,  it  is 
necessary  to  act  on  that  knowledge,  to  supplement  mind  with  mus¬ 
cle,  so  to  speak.  In  that  regard,  the  chosen  schema  for  control 
must  have  sound  foundations  in  the  physics  of  the  problem,  and 
there  must  be  sufficient  control  "power"  to  effect  the  solution. 
Furthermore,  it  is  necessary  to  demonstrate  the  process  end-to- 
end,  due  to  the  flight  critical/crucial  nature  of  control. 

1.2  BACKGROUND 

Research  in  artificial  intelligence  (AI)  and  fault-tolerant 
control  is  relatively  new,  as  the  computational  tools,  sensors, 
and  actuators  that  make  these  concepts  useful  did  not  exist  a  few 
decades  ago.  Possible  relationships  between  artificial  intelli¬ 
gence,  control  theory,  and  a  third  field  --  operations  research 
--  are  sketched  in  a  Venn  diagram  (Fig.  1)  taken  from  (1).  There 
it  is  suggested  not  only  that  these  are  overlapping  areas  of  con¬ 
cern  but  that  the  coupling  of  these  concepts  is  essential  to  the 
effective  use  of  any  one  of  them.  In  the  context  of  reconfigura- 
ble  control,  the  operations  research  function  can  be  subsumed  in 
the  control  design  function,  which  necessarily  requires  physical 
modeling  for  the  development  of  estimator/controller  gains  and 
structures . 
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Figure  1.  Venn  Diagram  of  Interdisciplinary  Issues  and  Expertise, 
(from  {1}) 


In  spite  of  the  natural  affinity  between  intelligence  and  con¬ 
trol,  it  appears  that  little,  if  any,  attention  has  been  directed 
to  applying  artificial  intelligence  to  fault  tolerant  control,  so 
independent  paths  must  be  charted  in  any  literature  search.  The 
principal  exception  to  this  finding  is  in  the  area  of  learning  con¬ 
trol  (also  called  self-organizing  or  intelligent  control)  (2-7), 
which  does  have  a  number  of  similarities  to  reconfigurable  control, 
and  which  might  be  distinguished  from  adaptive  (or  self-tuning)  con¬ 
trol  by  the  implied  breadth  of  possibilities  for  altering  the  con¬ 
trol  structure.  The  main  distinction  to  be  drawn  between  learn¬ 
ing  and  reconfigurable  control  is  that  the  former  places  emphasis 
on  "determining  how  to  do  things  right",  while  the  latter  empha¬ 
sizes  "deciding  what  to  do  when  things  go  wrong"!  There  is  a 
difference  in  the  time  scale,  dimensionality,  and  precision  of 


on  "determining  how  to  do  things  right",  while  the  latte-  empha¬ 
sizes  "deciding  what  to  do  when  things  go  wrong"!  There  is  a 
difference  in  the  time  scale,  dimensionality,  and  precision  of 
objectives  that  should  have  a  major  effect  on  feasible  control 
structures.  Nevertheless,  developments  in  learning  and  adaptive 
control  may  prove  helpful  in  the  present  project. 

For  the  most  part,  current  writings  on  artificial  intelligence 
deal  with  natural  language  processing,  expert  consulting  systems, 
theorem  proving,  combinatorial  and  scheduling  problems,  percep¬ 
tion  problems,  automatic  programming,  robotics,  and  data-base 
retrieval  {1}.  They  elaborate  on  reduction  of  heuristic-symbolic 
problem  statements  to  algorithmic-numeric  models,  on  search 
algorithms,  and  on  learning  and  training  {8-14} .  Some  of  the 
concepts  that  are  pertinent  to  the  reconf igurable  control  problem 
are  the  following: 

•  Hierarchical  representation,  interpretation,  and  goal  struc¬ 
ture 

•  Tree  search  with  refinement  (pruning  and  reordering) 

•  Hypothesis  testing,  pattern  recognition,  and  template  match¬ 
ing 

•  Rules  of  inference,  default  reasoning,  and  problem-solving 
paradigms 

•  Propositional  (or  predicate)  calculus 

•  Knowledge-based  systems  and  corresponding  symbol  structures 

•  Adaptation  and  strategies  for  resolution 

Reference  to  human  intelligence  characteristics  (15-17)  is  an 
underlying  factor  in  many  of  these  treatments,  and  the  character¬ 
ization  of  heuristic  symbols  and  systems  as  "fuzzy  sets"  and 
"fuzzy  automata"  have  their  parallels  in  stochastic  optimal 


Although  hierarchical  representations  will  have  utility  in 
reconf igurable  control,  not  all  such  structures  and  theories 
apply  to  the  problem.  Conventional  large-scale  systems  theory, 
though  related,  really  addresses  different  issues.  Typically,  a 
complex  system  is  decomposed  into  essentially  decoupled  subsys¬ 
tems,  and  decentralized  control  algorithms  are  developed  {19}. 
It  is  assumed  that  the  loosely  coupled  controllers  then  operate 
in  parallel.  Although  the  reconf igurable  flight  control  system 
may  present  a  wealth  of  control- structural  hypotheses,  it  is  not 
necessarily  "large  scale"  in  the  same  sense:  at  any  given  time, 
the  objective  is  to  identify  and  execute  the  best  single  control 
strategy  for  the  entire  system.* 

Not  surprisingly,  the  literature  on  f ault-tolerant  control  is 
more  directly  applicable  to  the  problem  at  hand.  As  mentioned 
previously,  the  notions  of  robustness  {20-22},  parallel  redun¬ 
dancy  {23-30},  and  analytic  redundancy  {30-34}  have  been  investi¬ 
gated,  and  self-tuning  regulators  {35-39}  should  be  added  to  this 
list.  There  is  not  room  here  to  address  these  accomplishments  in 
detail.  Instead,  we  might  ponder  what  remains  to  be  done  as  an 
introduction  to  the  current  program.  It  should  be  added  that 
improved  computer  reliability  is  a  separate  issue  that  is  not 
addressed  here. 

There  appear  to  be  seven  areas  of  f ault-tolerant  control  need¬ 
ing  additional  analytic  and  experimental  research: 


*  The  "best  single  control  strategy"  may  admit  the  usual  decou¬ 
pling  of  longitudinal  and  lateral-directional  flight  control 
under  many  circumstances. 
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•  Aerodynamic  and  structural  alterations  due  to  damage  or 
f ai lure 

•  Actuator  failure 

•  Power  supply  and  transmission  failure 

•  Multiple  component  failure 

•  Intermittent  failure  and  random  bias  shift 

•  Multi-microprocessing  for  real-time,  on-board  analytic 
redundancy 

•  Operation  in  heavy  turbulence 

In  addition,  continued  development  and  demonstration  of  sensor 
failure  detection  and  identification  is  warranted. 

The  problems  associated  with  power  supply  and  transmission 
failure  are  more  critical  than  the  loss  of  a  single  actuator,  as 
several  control  effectors  performing  different  functions  may  be 
lost  at  once.  Nevertheless,  such  failures  are  relatively  common 
in  non-combat  service,  and  battle  damage  can  induce  catastrophic 
loss  of  control  in  otherwise  flyable  aircraft.  The  related  issue 
of  generic  multiple  failures  should  be  studied.  Concurrent  mul¬ 
tiple  failures  often  are  ground-ruled  out  in  the  planning  stage, 
yet  these  are  the  type  most  likely  to  cause  trouble.  (Many  sin¬ 
gle-point  failures  are  not  catastrophic,  allowing  the  pilot  to 
continue  the  mission  or  return  to  base  within  a  reduced  flight 
envelope.)  Intermittent  sensor  failures  and  random  bias  shifts 
should  not  cause  instruments  to  be  taken  off  line  for  the  dura¬ 
tion  of  the  flight.  If  such  units  "heal"  or  if  their  new  biases 
are  identified,  they  should  be  returned  to  active  status,  and 
logic  must  be  developed  for  this  purpose.  Fault  detection  and 
identification  of  all  control  system  elements  could  be  affected 
adversely  by  heavy  turbulence,  so  algorithms  that  withstand  this 
environment  are  required. 
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1.3  PROGRAM  OF  RESEARCH 

The  research  program  begins  with  a  f ai lure-modes-and- 
analysis  based  upon  helicopter  and  aircraft  characteristi 
jected  for  the  1990s.  It  will  continue  with  the  defini 
Al-based  multiprocessor  algorithms  for  reconf igurable  cont 
with  the  design  of  experiments  for  such  systems.  These  c 
will  be  explored  in  all-digital  and  hybrid  simulation.  A 
processor  reconf igurable  control  system  will  be  construe 
programmed  for  testing  in  hybrid  simulation.  The  work  to 
ducted  can  be  summarized  as  follows: 

Preliminary  Development 

•  Specification  of  baseline  dynamic  characteristics 

•  Failure  modes  and  effects  analysis 

•  Review  of  applicable  artificial  intelligence  theory 

•  Initial  selection  of  fault  detection  and  identif 
(FDI)  approach 

•  Initial  selection  of  reconf igurable  control  approach 

•  Development  of  all-digital  numerical  simulation 

•  Specification  of  hybrid  simulation  experiments 

•  Hardware  specification,  assembly,  and  checkout 

Detail  Development 

•  Algorithm  research,  development,  and  refinement 

•  System  coding: 

-  Primary  estimation  and  control 

-  Executive  program  and  I/O  interfaces 

-  Experimental  logic 


Sensor  FDI 


Actuator  FDI 


-  Power  supply  and  transmission  FDI 

-  Aerodynamic  and  structural  FDI 

-  Multiple  and  intermittent  FDI 


Experimentation 

•  All-digital  simulation  experiments 

•  Hybrid  simulation  experiments: 

-  Reconfigured  estimation  and  control 

-  Sensor  FDI 

-  Actuator  FDI 

-  Power  supply  and  transmission  FDI 

-  Aerodynamic  and  structural  FDI 

-  Control  reconfiguration  with  sensor  failures 

-  Control  reconfiguration  with  actuator  failures 

-  Control  reconfiguration  with  power  supply  and  transmission 
f ai lures 

-  Control  reconfiguration  with  aircraft  and  structural  fail¬ 
ures 

-  Control  reconfiguration  with  multiple  failures 

-  Control  reconfiguration  with  intermittent  failures 

-  Control  reconfiguration  in  turbulence 


2.  TECHNICAL  DISCUSSION 


This  section  introduces  technological  foundations  of  the 
project.  Expert  systems,  production  systems,  and  an  example  are 
discussed  first  (Sections  2.1),  in  order  that  the  functions  to  be 
implemented  and  evaluated  can  be  viewed  in  proper  perspective. 
Similarly,  failure  modeling  for  computational  and  flight  experi¬ 
ments  (Section  2.2)  provides  insights  on  the  reconf igurable  con¬ 
trol  system's  operation.  The  overall  system  operation  is  dis¬ 
cussed  in  Section  2.3,  and  a  basic  methodology  for  fault 
detection  and  identification  incorporating  artificial  intelli¬ 
gence  concepts  appears  in  Section  2.4. 

An  overview  of  the  baseline  aircraft-control  configuration  is 
shown  in  Fig.  2.  The  primary  estimation  and  control  logic  has  a  con¬ 
ventional  structure,  as  might  be  found  in  an  LQG  or  classical 
controller-observer  implementation.  The  same  sensors  that  pro¬ 
vide  information  for  this  logic  drive  the  failure  detection,  identifi¬ 
cation,  and  reconfiguration  logic.  The  pilot  can  request  specific 
tests  or  restart  the  logic,  as  required.  This  feature  is  neces¬ 
sary  for  detecting  failures  in  the  pilot's  cockpit  controls,  and 
it  provides  a  means  of  augmenting  the  system's  artificial  intel¬ 
ligence  with  the  human  kind. 

It  is  most  appropriate  to  identify  the  subject  area  as  knowl¬ 
edge  engineering,  which  Feigenbaum  defines  as  "bringing  the  princi¬ 
ples  and  tools  of  AI  research  to  bear  on  difficult  applications 
problems  requiring  experts'  knowledge  for  their  solution"{40) . 
Specific  technical  issues  of  control  are  important  in  the  defini¬ 
tion  of  "intelligent  agents"  of  the  expert  and/or  production  sys¬ 
tems,  but  it  is  anticipated  that  AI  formalisms  will  have  syner¬ 
gistic  effects  in  control  system  design. 


be  identified  as  in  {41}: 


Task 

Interpretation 

Diagnosis 

Monitoring 

Prediction 

Planning 

Design 


Requirements 

Correct,  consistent,  complete 
analysis  of  data 
Fault  finding 

Recognition  of  alarm  conditions 
Reasoning  about  time, 
forecasting  the  future 
Defining  and  achieving  goals 
within  constraints  and  priorities 
Same  as  "Planning" 


All  of  these  are  important  in  the  context  of  reconf igurable  con¬ 
trol  systems,  but  there  is  a  need  to  go  beyond  the  stated 
requirements  because  interpretation,  diagnosis,  monitoring,  pre¬ 
diction,  and  planning  must  be  used  to  redesign  (or  reconfigure) 
the  control  system  in  "real  time",  i.e.,  with  negligible  delay. 
The  common  issues  of  large  solution  spaces,  tentative  reasoning, 
time-varying  systems,  and  "errorful"  data  must  be  addressed  using 
probabilistic  or  pseudo-probabilistic  models  of  the  controlled 
system  and  its  failed  states. 


The  expert  system  offers  an  improved  formalism  for  failure 
detection,  identification,  and  reconfiguration  (FDIR)  through 

•  Use  of  specialized  data  and  solution  structures 

•  Compilation  of  knowledge 

•  Transformations  of  knowledge  into  efficient  axiomatic  frames 


Whereas  previous  FDIR  algorithms  have  used  a  single,  generalized 
representation  of  failure  hypotheses,  e.g.,  a  bank  of  parallel 


Kalman  filters,  an  expert  system  can  consider  diverse  data 
sources  and  subproblem  abstractions.  While  some  failure  indica¬ 
tors  may  be  continuous  variables  generated  by  Kalman  filters, 
others  may  be  discrete  variables  from  finite-state  models.  Each 
of  these  indicators  can  be  considered  the  output  of  a  "produc¬ 
tion",  as  defined  below.  In  effect,  the  expert  system  can  be 
tuned  to  accept  such  information  in  a  balanced  way,  minimizing 
the  possibility  of  unnecessary  computation. 

Production  Systems  -  A  production  system  uses  procedures  (or 
productions)  to  generate  actions  predicated  on  a  data  base(ll). 
Each  production  has  a  unique  input-output  characteristic  that 
produces  certain  goal  conditions  from  initial  conditions.  In  the 
cleanest  case,  each  production  is  independent  of  every  other  pro¬ 
duction;  however,  in  many  situations,  there  is  coupling  between 
productions.  Consequently,  conflicts  occur  and  must  be  resolved, 
sometimes  requiring  logic  for  back-tracking  and  reevaluation.  A 
production  system  can  be  considered  an  expert  system  if  its  pro¬ 
ductions  capture  the  heuristics  of  experts. 

For  an  Al-based  reconf igurable  control  system,  the  productions 
are  computer  programs  (or  procedures  or  routines)  that  model  the 
normal  and  failed  characteristics  of  the  controlled  system. 
Thus,  the  productions  may  be  realizations  of  differential,  dif¬ 
ference,  algebraic,  or  transcendental  equations  that  model  the 
sensors,  actuators,  power  systems,  and  structure  of  the  control¬ 
led  system.  These,  in  turn,  may  incorporate  physical  modeling 
and  statistical  estimation  to  generate  failure  metrics,  which  are 
processed  in  response  to  requests  from  the  executive  logic. 


Example  of  Application  - 

rable  control  system 


A  qualitative  example 
implementation  can 


of  the  reconfigu- 
be  given  for 
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can 


clarification.  Consider  a  generic  jet  aircraft  of  modern  design. 
Its  control  effectors  are  highly  redundant,  including 


•  Elevator 

•  Rudder 

•  Ailerons 

•  Spoilers 

•  Flaps 

•  Slats 

•  Trim  Tabs 

•  Engine  Controls 

•  Thrust  Reversers 


Several  sub-systems,  e.g, ,  landing  gear  and  engine  bleed  air, 
have  control-like  effects  on  aircraft  motion  when  they  are 
deployed  or  engaged.  Each  control  effector  or  sub-system  will 
have  a  distinctive  input  signature,  consisting  of  a  unique  combination 
of  forces  and  moments  that  lead  to  unique  translational  and  rota¬ 
tional  accelerations  of  the  aircraft. 


Should  an  effector  fail,  there  are  alternate  ways  of  sensing 
the  failure,  and  each  associated  detection  algorithm  forms  the 
basis  of  an  AI  production.  Knowing  the  aircraft's  dynamic  model, 
the  ensuing  motions  provide  input  to  a  production  algorithm  that 
determines  which  input  signature  has  occurred,  in  turn  indicating 
which  effector  has  failed.  The  deflection  of  the  effector  itself 
may  be  measured,  leading  to  an  algebraic  (or  finite-state)  pro¬ 
duction  to  determine  if  the  effector  responds  to  control  com¬ 
mands.  Similar  measurements  can  be  made  for  the  effector's  power 
system  leading  to  yet  another  production.  Because  each  of  these 
indicators  is  subject  to  failure,  there  is  uncertainty  as  to 
whether  or  not  a  failure  actually  has 


occurred . 
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knowledge-based  production  system  then  assesses  the  probability 
(or  pseudo-probability)  of  a  failure,  and  the  expert  system 
decides  what  adjustments  should  be  made  to  the  control  system 
configuration.  For  example,  if  the  rudder  has  failed  to  its  null 
position,  the  ailerons  and  spoilers  may  be  commanded  using  dif¬ 
ferent  control  gains  or  feedback  paths.  If  a  left  wing  slat  has 
failed  "down"  (while  the  right  slat  still  is  "up"),  the  ailerons 
can  be  commanded  to  counteract  the  rolling  torque  that  results. 
Each  failure  mode  of  each  effector  is  modeled  by  an  AI  produc¬ 
tion,  and  other  f ai iure/damage  types  are  treated  in  like  fashion. 


2.2  FAILURE  MODES  AND  EFFECTS 

This  section  describes  the  modeling  and  simulation  of  failures 
in  an  aircraft's  flight  control  system  and  in  the  aircraft 
itself.  For  purposes  of  discussion,  consider  a  nonlinear  differ¬ 
ential  equation  model  of  the  baseline  aircraft  (to  be  simulated). 


x(t)  =  f [x( t) ,u(t) ,w' ( t) ) ,  x(0),  =  xQ 


where 


x 


[Va8pqr0$] 


T 


(2.2-1) 


(2.2-2) 


(2.2-3) 
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The  m  control  effectors  represent  conventional  and  unconventional 
devices,  and  they  may  be  redundant,  i.e.,  more  than  enough  to 
assure  complete  controllability  in  both  structural  and  qualita¬ 
tive  senses.  Equation  2.2-1  can  include  the  effects  of  closed- 
loop  control,  although  that  is  neglected  in  this  brief  discus¬ 
sion.  The  system  observation  equation  is 


z(t)  =  h[x(t) ,u(t) , w' (t) , v' (t) ] 


(2.3-4) 


where  v'(t)  represents  an  error  process.  At  trimmed  equilibrium, 
denoted  by  ( . ) *  , 

0  =  f[x*,u*,w'*]  (2.2-6) 


Perturbations  from  the  trimmed  condition,  A(.),  can  be  modeled 
by  linear  differential  and  algebraic  equations: 


Ax ( t )  =  FAx(t)  +  GAu(t)  +  LAw(t),  Ax(0)  =  AxQ  (2.2-6) 


Az  ( t )  =  CAx(t)  +  DAu(t)  +  EAv(t)  (2.2-7) 


0  =  FAx*  +  GAu*  +  LAW* 


(  2 . 2-8a ) 


Ax*  =  -F  (GAu*  +  LAW*) 


(  2 . 2 -8b) 


The  model  can  be  expanded  to  include  actuator,  sensor,  and  compu¬ 
tation  dynamics. 

The  types  of  failures  to  be  considered  are  the  following: 

•  Sensor  failures 

•  Actuator  failures 

•  Power  supply  and  transmission  failures 

•  Aerodynamic  and  structural  damage  or  failures 

The  device  and  system  failure  modes  include, 

•  Null  failure 

•  Hardover  failure 

•  Runaway  failure 

•  Random  process  failure 

•  Random  bias  failure 

•  Intermittent  failure 

while  aircraft  damage  or  failure  can  be  modeled  as  a  discrete 
change  in  dynamic  (F,G)  characteristics. 

It  is  apparent  that  all  of  these  failure  types  and  modes  can 
be  modeled  by  modifications  to  eq.  2.2-6  to  2.2-8.  Null  failures  of 
the  sensors  zero  the  appropriate  columns  of  (C,D,E),  while  null 
actuator  failures  zero  the  columns  of  G.  The  latter  affects  both 


dynamic  response  and  trim  equilibrium.  Hardover,  runaway,  and  ran¬ 
dom  failures  in  sensors  and  actuators  are  modeled  by  Ay  and  Aw, 
respectively.  Power  supply  and  transmission  failures  interrupt 
the  operation  of  sensor  and  actuator  groups;  therefore,  a  number 
of  matrix  columns  will  be  zeroed  in  this  instance.  Intermittent 
failures  simply  require  the  above  effects  to  be  switched  on  and 
off. 

When  the  baseline  configuration  includes  closed-loop  control, 
i.e.,  use  of  the  measurements  (eq.  2.2-7),  the  simulation  is  more 
complex  but  still  well-defined.  The  structure  of  the  baseline 
control  law  must  be  simulated,  with  the  failures  injected  accord¬ 
ingly. 

2.3  PRIMARY  CONTROL  OPERATION  AND  RECONFIGURATION 

The  baseline  configuration  will  be  assumed  to  have  a  primary 
digital  estimation  and  control  system  whose  gains  and  parameters 
will  be  modified  according  to  flight  condition  and  failure  state. 
For  discussion  purposes,  the  primary  system  will  consist  of  a 

full-state  estimator  and  a  proportional-integral-filter  (PIF)  control  law  (42). 

The  eighth-order  estimator  is  either  block  diagonal  or  block- 
diagonally-dominant ,  reflecting  the  usual  separation  into  longi¬ 
tudinal  and  lateral-directional  modes,  and  the  number  of  measure¬ 
ments  depends  upon  the  identified  failure  state  of  the  system. 
The  estimator  itself  provides  analytic  redundancy  when  the  opera¬ 
tional  sensors  are  fewer  than  normal.  Hardware  redundancy  man¬ 
agement  precedes  the  input  of  measurements  to  the  estimator, 
i.e.,  the  functions  of  analytic  and  parallel  redundancy  manage¬ 
ment  are  handled  separately.  Estimator  model  parameters  and 


gains  are  chosen  for  robustness. 


The  PIF  controller  is  inherently  robust.  Assuming  that  the 
baseline  aircraft  operates  with  conventional  command  modes  for 
up-and-away  flight,  there  would  be  four  pilot  inputs  (longitudi¬ 
nal  and  lateral  stick,  foot  pedals,  and  throttle);  hence,  there 
would  be  up  to  four  integrators  for  the  command  variables. 
(Assuming  that  pitch  rate  and  roll  rate  are  command  variables, 
only  two  "extra"  integrators  would  be  required  {43}).  Up  to  m 
low-pass  filters  can  be  associated  with  the  control  surface  com¬ 
mands,  although  it  is  likely  that  the  number  can  be  reduced  to 
four  under  most  circumstances,  reflecting  the  usual  number  of 
independent  controls.  Block-diagonal  dominance  applies,  and  the 
number  of  control  commands  depend  on  the  failure  state. 

In  normal  operation,  gains  would  be  scheduled  with  flight  con¬ 
dition;  therefore,  they  would  be  continually  varying.  Once  a 
failure  is  detected  and  identified,  the  appropriate  gains  could 
be  selected,  but  a  sudden  switch  could  produce  an  unacceptably 
large  transient  in  the  system,  particularly  if  control  settings 
are  large.  As  a  consequence,  the  gains  should  be  "faded"  from 
the  old  values  to  the  new  values  over  a  period  of  time  to  be 
determined  by  a  tradeoff  of  urgency  and  smoothness  {44}. 


2.4  ARTIFICIAL  INTELLIGENCE,  FAULT  DETECTION,  AND  IDENTIFICATION 


Much  of  artificial  intelligence  (AI)  relates  to  learning  about 
unknown  systems  from  observations  or  other  evidence  in  a  manner 
that  emulates  human  thought  processes.  Tasks  performed  almost 
unconsciously  by  humans  can  prove  quite  demanding  for  machines. 
Problems  deemed  too  difficult  for  individuals  often  are  referred 
to  panels  of  experts,  whose  combined  knowledge  is  used  to  form 
solutions.  The  questioning  of  an  individual  or  a  panel  of 
experts  is  analogous  to  the  retrieval  of  information  from  a  data 
base.  If  rule-based  deduction  is  used,  the  process  of  finding  an 
answer  can  be  called  "intelligent",  whether  human  or  artificial 
{11}.  An  objective  of  this  research  is  to  use  rule-based  deduc¬ 
tion  to  detect  and  identify  failures,  thereby  making  reconfigura¬ 
tion  possible. 

Deduction  implies  searching  a  hierarchical  tree  of  possibili¬ 
ties.  At  each  node  there  must  be  rules  and  criteria  for  continu¬ 
ing  along  a  particular  branch.  In  the  context  of  system  fail¬ 
ures,  the  probabilities  of  each  choice  conditioned  by  the  available 
observations  provide  a  rational  set  of  criteria,  and  Bayes's  rule 
provides  a  reasonable  selection  process.  It  also  is  necessary  to 
develop  logic  which  retains  more  than  one  possibility  in  the 
search  long  enough  to  identify  possibly  subtle  hypotheses  and 
which  knows  when  to  stop;  hence,  there  is  a  need  for  optimal 
pruning  and  stopping  rules  {45}. 

AI  heuristics  will  prove  most  valuable  in  formulating  FDI 
hierarchical  structure  and  in  identifying  faults  on  an  inferen¬ 
tial  basis.  In  the  first  instance,  all  failure/damage  modes  and 
effects  must  be  classified  and  arranged  in  levels.  For  example, 
the  hierarchy  for  failure  modes  might  be 


•  System 

•  Function 

•  Axis 

•  Device 

•  Characteristic 


while  that  for  failure  effects  might  be 

•  Abnormal  motion 

•  Axis 

•  Forcing  function 

•  Source 

In  the  second  case,  rules  of  inference  would  process  a  number  of 
observations  in  a  production  system  to  deduce  a  failure.  For 
example,  combined  loss  of  left  aileron,  loss  of  air  data  from 
sensors  mounted  on  the  left  wing,  ana  rapid  roll  rate  could  infer 
damage  to  the  left  wing.  To  some  extent,  this  sort  of  reasoning 
is  invoked  in  operational  systems  {46},  although  formal  connec¬ 
tions  to  AI  are  not  identified  and  the  scope  of  the  application 
does  not  include  aircraft  damage. 

The  familiar  concepts  of  sequential  probability  ratio,  gener¬ 
alized  likelihood  ratio,  and  multiple  model  testing  {31,47-55} 
have  potential  application  to  the  actual  computations,  and  refer¬ 
ence  to  the  general  area  of  fault- tolerant  avionics  is  warranted 
{56-62}.  It  is  desirable  that  a  minimum  number  of  full-state 
estimators  be  used,  with  each  failure  state  modeled  by,  at  most, 
a  low-order  process  or  "moving  window"  estimate  of  the  probabil¬ 
ity  density  function  (also  called  the  likelihood  function)  or  its 
logarithm.  For  example,  with  the  Gaussian  assumption,  the  log 
likelihood  function  estimate  for  the  A1"  failure  hypothesis  based 


on  a  moving  window  of  N  data  points  can  be  expressed  as 


k 

Lft(k)  =  (1/N)  {{A2i  “  +  +  EA^)  ]aTra-1|  .  ] 

i=k-N+l 


where  Ax  is  the  state  estimate,  is  the  measurement  co 
matrix  associated  with  the  failure  state,  and  c  is  a  c 
Then  the  log  likelihood  ratio  of  hypotheses  A  and  B  is  si 

LAB ( k )  =  LA(k>  "  LB<k> 


and  the  decision  rule  is 


•  LAB(k)  5  a< 

•  a  <  LAB(k)  <  b' 

*  LAB<k>  k  b' 


Accept  Hypothesis  A 
Accept  previous  hypothesis 
Accept  Hypothesis  B 


The  process  is  made  efficient  by  defining  failure  signat 
each  hypothesis  {31}. 


The  hierarchical  approach  suggests  that  differing 
types  be  processed  separately  and  that  a  minimal  amount  o 
tation  be  carried  out  at  any  given  time.  Accordingly,  th 
separates  sensor  FDI,  which  can  be  associated  with  the  ai 
outputs,  from  actuator/aircraft  FDI,  which  can  be  associa 
control  inputs  and  dynamic  response  characteristics.  In 
(unfailed)  state,  it  may  be  sufficient  to  carry  two  hyp 


the  system  is  failed  or  not.  On  detecting  that  an  unspecified 
failure  has  occurred,  the  logic  expands  the  number  of  hypotheses 
to  determine  which  aircraft  axes  are  involved.  On  determining 
the  axes,  the  hypotheses  associated  with  unfailed  axes  are 
dropped,  and  more  specific  hypotheses  related  to  systems  and 
individual  components  are  brought  on  line. 

All  FDI  results  would  be  broadcast  over  a  data  bus  so  that 
appropriate  adjustments  can  be  made.  For  example,  once  a  partic¬ 
ular  sensor  is  declared  failed,  this  information  would  be  used  to 
reconfigure  the  primary  estimation  logic  and  to  modify  the  actua¬ 
tor/aircraft  FDI  logic. 


3.  CONCLUSION 


A  concept  and  program  for  applying  artificial  intelligence 
theory  to  improving  the  fault  tolerance  of  control  systems  has 
been  described.  The  concept  includes  both  subjective  and  objec¬ 
tive  logic  for  detecting  failures,  identifying  failed  components, 
and  reconfiguring  control  paths  to  maintain  acceptable  perform¬ 
ance.  The  program  is  directed  at  realizing  the  concept  through 
analysis,  system  design,  hardware  implementation,  and  experimen¬ 
tal  evaluation.  Program  results  will  have  fundamental  applica¬ 
tion  to  the  formulation  of  future  control  structures. 
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